On Jul 15, 2021, at 10:24 AM, Carolin Baumgartner <la...@angry-red-pla.net> wrote:
>
> Section 3.1, first bullet point on automation: I would mention "zero touch".
> That should be the goal from a user's perspective.

Sure.

> Section 3.1, fifth (sixth) bullet point on mutual exchange of identities: How
> is that supposed to work? Don't get me wrong, I understand the rationale. But
> that requires a user to understand if the identity of the server is correct.
> I don't think that is a safe assumption.

The rest of the document tries to address this. The idea is that the device uses the web root CAs to download a trusted CA for this domain, when using EAP. Then, the device can tell the user that the EAP server for this domain is trusted, because it has a certificate signed by a known CA.

> Section 3.1, last bullet point: I agree on the technical rationale. However
> that must be dead simple to verify from a user perspective

Yes. It has to be managed automatically.

> General comment: EAP configuration and implementation is certainly one issue,
> but the whole certificate stuff is terrible from a user's point of view. We
> could try to solve it in this draft, but it certainly touches a lot of topics.

The goal of the draft is to leverage the web root, in order to bootstrap trust in EAP. The only real thing that the user needs to do is to enter:

Name: my.n...@example.com
Password: superSecret

Provided there's some network connection available, everything else can be automatic.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
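The bootstrap Alan sketches above (the web root authenticates the domain's HTTPS endpoint, the CA downloaded from that endpoint authenticates the EAP server) as an added shell simulation; it is not part of the thread or of the draft. It builds every CA, key and certificate itself with the openssl CLI, uses placeholder names (example.com, radius.example.com) rather than any real infrastructure, and stands in for the HTTPS download with a file copy that is only taken once the web-root check has passed.

```shell
#!/bin/sh
# Added example, not from the thread or the draft: file-based simulation of
# bootstrapping EAP trust from the web root. All CAs, keys and certificates
# are constructed here with the openssl CLI; example.com and
# radius.example.com are placeholders.
set -eu

WORK=$(mktemp -d)

# Constructed "web root CA": the trust the device already ships with.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/webroot.key" -out "$WORK/webroot.crt" \
    -subj "/CN=Constructed Web Root CA" >/dev/null 2>&1

# Constructed private "EAP CA" of the domain. It is NOT in the web root store;
# the device only learns about it through the bootstrap below.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/eap-ca.key" -out "$WORK/eap-ca.crt" \
    -subj "/CN=Constructed example.com EAP CA" >/dev/null 2>&1

# issue_cert <cn> <ca-name> <out-name>: end-entity cert signed by the named CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -set_serial 1 -days 365 -out "$WORK/$3.crt" >/dev/null 2>&1
}

issue_cert example.com        webroot https-server  # HTTPS endpoint serving the EAP CA
issue_cert radius.example.com eap-ca  eap-server    # the EAP (RADIUS) server

# cert_trusted <trust-store.crt> <cert.crt> <hostname>: exit 0 if the cert
# chains to the store AND its name matches the hostname, else non-zero.
# This is the check the device runs; the hostname part is what ties the
# result to the domain the user typed.
cert_trusted() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# bootstrap_eap_trust <domain>: the flow from the mail. Succeeds only when the
# EAP server ends up trusted through a chain that started at the web root.
bootstrap_eap_trust() {
    domain=$1
    # Step 1: authenticate the domain's HTTPS endpoint with the web root store.
    cert_trusted "$WORK/webroot.crt" "$WORK/https-server.crt" "$domain" || return 1
    # Step 2: "download" the domain's EAP CA over that authenticated channel
    # (simulated by a copy, taken only because step 1 succeeded).
    cp "$WORK/eap-ca.crt" "$WORK/downloaded-eap-ca.crt"
    # Step 3: validate the EAP server's certificate against the downloaded CA.
    cert_trusted "$WORK/downloaded-eap-ca.crt" "$WORK/eap-server.crt" "radius.$domain"
}

# Without the bootstrap the device cannot trust the EAP server at all: the web
# root store does not contain the domain's private EAP CA.
eap_server_trusted_by_webroot_alone() {
    cert_trusted "$WORK/webroot.crt" "$WORK/eap-server.crt" radius.example.com
}

if bootstrap_eap_trust example.com; then
    echo "EAP server for example.com trusted via web-root bootstrap"
fi
```

The exit status of `openssl verify` carries the whole decision, so a device-side implementation only has to act on that status; the `-verify_hostname` argument is deliberately part of both steps, since without it any server holding a web-root-issued certificate could hand the device a CA for a domain it does not own.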